Question No 1:
The guidance Splunk gives for estimating size for syslog data is 50% of original data size. How does this divide between files in the index?
A. rawdata is: 10%, tsidx is: 40%
B. rawdata is: 15%, tsidx is: 35%
C. rawdata is: 35%, tsidx is: 15%
D. rawdata is: 40%, tsidx is: 10%
Question No 2:
Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)
A. Use case checklist.
B. Install Splunk apps.
C. Inventory data sources.
D. Review network topology.
Question No 3:
Which Splunk internal index contains license-related events?
Question No 4:
Of the following types of files within an index bucket, which file type may consume the most disk?
B. Bloom filter
C. Metadata (.data)
D. Inverted index (.tsidx)
Question No 5:
Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?
D. Deployment server
Question No 6:
Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?
A. High performance SAN should never be used.
B. Enable NFS for storing hot and warm buckets.
C. The recommended RAID setup is RAID 10 (1 + 0).
D. Virtualized environments are usually preferred over bare metal for Splunk indexers.
Question No 7:
What is the default log size for Splunk internal logs?
B. 20 MB
Question No 8:
The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?
Question No 9:
Which of the following commands is used to clear the KV store?
A. splunk clean kvstore
B. splunk clear kvstore
C. splunk delete kvstore
D. splunk reinitialize kvstore
Question No 10:
In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)
A. Use the Monitoring Console.
B. Use the Search Head Clustering settings menu from Splunk Web on any member.
C. Run the splunk transfer shcluster-captain command from the current captain.
D. Run the splunk transfer shcluster-captain command from the member you would like to become the captain.
Answer: B D